Privacy Policy

m-shape

Mercell's Privacy Policy



This privacy policy applies to the information and data collected and processed when surfing on this website, submitting forms on the Mercell webpage for sales, marketing, and communication when registering into the Mercell portal when using the Mercell platform, or several other activities described in this policy. 


This privacy policy describes how we collect, receive, store, use, transfer, and process your data for the aforementioned activities with Mercell users and customers. Moreover, it also describes your rights as a data subject, such as retrieving consent, correcting your personal data, and, in general, how to exercise your rights as a data subject. Several of the activities described in this policy are voluntary and rely on the consent of the user. Such are described in detail in the processing activities section of this document. Data related to the use of the platform and portal registration is regulated in the section Privacy Notice for portal subscription and platform. 


We at Mercell (hereinafter referred to as "Mercell," "We," or "we") strive to use as little personal data as possible. That is why, for example, we have a different section regarding our cookies policy and the use of any third-party cookie trackers through this Website. If you want to learn more about our cookies policy, please click on the following link.  

Definitions and Legal Reference

Before continuing to read our policy, we want to make sure you understand the terminology used in this document. We kindly ask you to get familiar with these definitions before continuing to read this privacy policy. The mentioning of these definitions does not imply the use, collection, or processing of any data that is not strictly mentioned in the respective section of this privacy policy. 


Cookies


Cookies are small sets of data stored in the User's device when visiting a website, either by the website operator or by third parties the web operator has a relation with. More about our cookie policy can be read in the respective policy. 

Personal Data (or Data)

Personal data is considered as any information that, directly or indirectly, alone or in combination with other types of information, allows one to identify or become identifiable as a natural person. This implies that a variety of information could be considered personal data, such as telephone numbers and e-addresses, among others.


Data Subject:

The natural person to whom the Personal Data refers.

Data Processor 

The natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller, as described in this privacy policy. In this case, the data processor is HubSpot Inc. More details about the processor can be found in the respective section.


Data Controller

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Website. The Data Controller, unless otherwise specified, is Mercell.

 

European Union  and European Economic Area ( EU/EEA)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Usage Data

Information is collected automatically through websites, which can include the IP addresses or domain names of the computers utilized by the Users who use this Website, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

User

Anyone who uses this Website and those who subscribe to the service, portal, or platforms of Mercell. Which, unless otherwise specified, coincides with the Data Subject.


Tracker

Tracker is defined as any technology that enables the tracking of Users, for example, by accessing or storing information on the User’s device. Examples of trackers could be Cookies, unique identifiers, web beacons, embedded scripts, e-tags, and fingerprinting.  

 

Website 

A collection of interlinked Web pages that share a single domain name. Webpage is understood as a hypertext document on the World Wide Web. Web pages are delivered by a web server to the user and displayed in a web browser.

Legal information summary

This privacy statement has been prepared based on provisions of several legislations, including the EU 2016/679 (General Data Protection Regulation), also known as GDPR.
This privacy policy relates solely to the processing activities described in it. Therefore, it does not cover other services that might be described in different documents. 
The request for the service is voluntary and entails that the aforementioned information be processed by Mercell to provide the services requested and provided.  The user is at any moment able to request the correction, modification, and erasing of his/her personal data.


Type of processing

Personal Data is collected for the following purposes and using the following services:

1) Communication between individuals or organizations, including email and phone calls.

This includes transmitting messages,  receiving or sending phone calls, sharing information, and enabling efficient and effective communication between the user and Mercell.  In some special cases, for customer support tickets,  there could be a need to record phone calls for revisit information delivered by call. In such cases, the customer will be presented with the ability to consent for such recording, and the customer could always deny the recording.

Categories of Personal Data: The personal data processed for email and communication purposes may include:

Contact Information: This includes names, email addresses, phone numbers, and any other relevant contact details necessary for initiating and maintaining communication.

Communication Content: This refers to the actual content of the messages sent, such as email text, attachments, images, or other media shared during communication.

Communication History: Data related to customer interactions, including sales inquiries, support requests, and correspondence, may be processed to track customer engagement and provide personalized assistance.

Metadata: Metadata associated with the communication may be processed, including timestamps, sender and recipient information, IP addresses, and other technical data that helps manage and track the communication process.

Legal Basis for Data Processing: The legal basis for processing personal data for email and communication purposes may vary depending on the specific situation and applicable laws. Common legal bases include:

Consent: In the case of potential customers or users that contact the company for information on prices and marketing. The individual shall have provided their explicit consent to send them emails or communicate with them. Thus, processing may be based on their consent. This can be withdrawn by sending a request to the contact email address. When relevant, Mercell would request consent for recording call from the customers, the denial of consent will not affect in anyway the service provided to the customer.

Contractual Necessity: When communication is necessary to fulfill a contract or to take pre-contractual steps at the request of the data subject, the processing may be based on the necessity of the contract. This is related to communication with customers.

Legitimate Interests: The processing may be justified under this legal basis, such as in the case of communicating considered essential or required by law the data subject.

2) Facilitate marketing communications with individuals or organizations. This includes sending promotional materials, updates, offers, and other marketing messages to promote products, services, or events.

Categories of Personal Data: The personal data processed for marketing communications may include:

Contact Information: This includes names, email addresses, phone numbers, job titles, postal addresses, and any other relevant contact details necessary for delivering marketing communications.

Demographic Information: Additional demographic data such as location, preferences, and purchasing history may be processed to personalize marketing messages and tailor them to specific target audiences.

Interaction Data: Information about individuals' interaction with marketing materials, such as email open rates, click-through rates, website visits, and engagement with specific campaigns, may be processed to evaluate and optimize marketing strategies.

Legal Basis for Data Processing: The legal basis for processing personal data for marketing communications may vary depending on the specific situation and applicable laws. Common legal bases include:

Consent: If individuals have provided their explicit consent to receive marketing communications, the processing may be based on their consent. Consent should be freely given, specific, informed, and revocable.

Legitimate Interests: Legitimate interests may include direct marketing, in the case of previous customer relationship management, that has not opted out of the marketing messages.

Data Recipients: In the context of marketing communications, the recipients of personal data may include:

Marketing Teams: Personal data may be accessed and processed by individuals or teams responsible for planning, executing, and evaluating marketing campaigns and strategies.

Service Providers: Data may be shared with third-party service providers who assist in delivering marketing communications, such as email service providers, marketing automation platforms, customer relationship management (CRM) systems, or advertising networks.

3) Sales Process: including customer acquisition, lead management, order fulfillment, and customer relationship management. This involves collecting, analyzing, and utilizing personal data to support sales activities and provide a personalized experience for customers.

Categories of Personal Data: The personal data processed for sales purposes may include

Contact Information: This includes names, email addresses, phone numbers, postal addresses, Job titles, and any other relevant contact details necessary for establishing and maintaining communication with potential or existing customers.

Transactional Data: Information related to customer transactions, such as purchase history, order details, payment information, and billing/shipping addresses, may be processed to manage sales orders and provide customer support.

Communication History: Data related to customer interactions, including sales inquiries, support requests, and correspondence, may be processed to track customer engagement and provide personalized assistance.

Sales Analytics: Sales data, including conversion rates, sales performance, and customer preferences, may be processed to analyze sales trends, identify opportunities, and optimize sales strategies.

Legal Basis for Data Processing: The legal basis for processing personal data in sales may vary depending on the specific situation and applicable laws. Common legal bases include

Contractual Necessity: When processing personal data is necessary for the performance of a contract or to take pre-contractual steps at the request of the data subject, the processing may be based on the necessity of the contract.

Legitimate Interests: The processing may be justified under this legal basis. Legitimate interests due to customer relationship management, mutual benefit for both parties and sales analytics.

Consent: If individuals have provided their explicit consent to the processing for sales analytics or for communication-related to that, the processing may be based on their consent. Consent should be freely given, specific, informed, and revocable.

4) Use of analytics tools to analyze and understand user behavior in order to improve website functionality and provide a better user experience. It involves collecting and analyzing data to gain insights into how visitors interact with a website, platforms optimize content and design, and make data-driven decisions.

Categories of Personal Data: The personal data processed during webpage surfing and the use of analytics tools may include:

Usage Data: This includes information about how visitors interact with the website, such as the pages visited, time spent on each page, click patterns, scroll depth, and session duration. It helps understand user engagement and behaviour.

Device and Technical Data: Information about the devices used to access the website, such as IP addresses, device type, operating system, browser version, screen resolution, and language preferences, may be processed for troubleshooting, optimization, and ensuring compatibility.

Referral Data: Data regarding the source that directed the user to the website, such as search engine queries, referring URLs, campaign parameters, or social media referrals, may be processed to assess marketing efforts and measure website traffic.

Demographic Data: Optional demographic information voluntarily provided by users' location may be processed if collected through consent-based mechanisms, such as surveys or user preferences.

Legal Basis for Data Processing: The legal basis for processing personal data during webpage surfing and the use of analytics tools may vary depending on the specific situation and applicable laws. Common legal bases include:

Consent: Consent is required under applicable data protection regulations; users are asked for consent before tracking their activities using analytics tools.

5)  Demo and brochure request: Data is processed to provide the requested materials and communicate with the requester regarding the requested service. The collected data is used to fulfill the specific service request and to provide relevant information about the Mercell services.
Categories of Personal Data: The personal data collected for the request of a demo and brochure may include

Contact Information: This includes names, email addresses, phone numbers, postal addresses, job titles, company name, and any other relevant contact details necessary for establishing and maintaining communication with potential or existing customers.

Legal Basis for Data Processing: The legal basis for processing personal data for the request of a demo and brochure may vary depending on the specific situation and applicable laws. Common legal bases include:

Contractual Necessity: If the data processing is necessary for the performance of a contract or to take pre-contractual steps at the request of the data subject, the processing may be based on the necessity of the contract.

Consent: The request for a brochure is freely given, specific, informed, and revocable at the moment of sending the request. Thus the processing of the data is based on consent 

6) Invoice handling:  ensuring accuracy, facilitating payment, and maintaining proper financial records. It involves collecting, processing, and storing personal and financial data necessary for invoicing purposes.

Categories of Personal Data: The personal data processed for invoice handling and sending may include:

Contact Information: This includes the name, address, email address, and phone number of the invoiced party or the designated recipient for sending the invoice.

Financial Information: Personal data related to financial transactions, such as bank account details, payment card information, or other payment-related information, may be processed for the purpose of invoice payment and record-keeping.

Tax Identification Information: In certain jurisdictions, tax identification numbers or other tax-related information may be processed to comply with applicable tax laws and regulations.

Product or Service Details: Information related to the products or services provided, such as descriptions, quantities, prices, and any applicable taxes or discounts, may be processed for accurate invoicing.

Legal Basis for Data Processing: The legal basis for processing personal data for invoice handling and sending may vary depending on the specific situation and applicable laws. Common legal bases include:

Contractual Necessity: Processing personal data for invoice handling and sending is necessary for the performance of a contract between the invoiced party and the data controller.

Compliance with Legal Obligations: Processing personal data may be necessary to comply with legal obligations, such as tax laws and regulations related to invoicing and record-keeping.

7) Storing and protecting customer data in a database: This is to maintain a centralized and organized repository of information related to customers. It involves collecting, organizing, and storing personal data to enable effective customer management, communication, and support.  For Customers of the S2C platform, there will be required to integrate data from a different mercell platform to the CRM system. This process will use Opic to automate the data export, reduce the risk of data loss and human errors, and keep the data up-to-date across systems. 

Categories of Personal Data: The personal data processed for storing customer data in a database may include:

Identification Information: This includes the customer's name, address, country, contact details (such as phone number and email address), any unique identifiers (such as customer ID or account number), job title, organization name, and VAT number. 

Transaction History: Details of customer transactions, including purchase history, order details, payment information, and invoicing data, may be stored for reference, analysis, and customer service purposes.

Communication History: Records of past interactions between the customer and the organization, such as emails, chat logs, support tickets, or call recordings, may be stored to provide a comprehensive customer service experience.

Consent and Preferences: Information related to customer consent for marketing communications and preferences for specific products, services, or communication channels may be stored to ensure compliance and deliver personalized experiences.

Legal Basis for Data Processing: The legal basis for processing personal data in storing and protecting customer data in a database may vary depending on the specific situation and applicable laws. Common legal bases include:

Contractual Necessity: When processing personal data is necessary for the performance of a contract or to take pre-contractual steps at the request of the data subject, the processing may be based on the necessity of the contract.

Legitimate Interests: The processing may be justified under this legal basis due to customer relationship management, mutual benefit for both parties, and sales analytics.
Compliance with Legal Obligations: Processing personal data may be necessary to comply with legal obligations, such as tax laws and regulations related to invoicing and record-keeping.

8) Tag management: manage and deploy tags on a website or digital platform. Tags are snippets of code that collect data or enable third-party services, such as analytics, advertising, or remarketing. Tag management systems streamline the process of implementing and maintaining tags, improving website performance and data governance.

Categories of Personal Data: The personal data processed in the context of tag management may include:

User Identification: Tag management systems may collect and process user identification data, such as IP addresses, device information, or cookies, for the purpose of associating user interactions with specific tags or tracking user behavior.

Interaction Data: Tag management systems may collect and process data related to user interactions, such as clicks, page views, form submissions, or other engagement metrics. This data helps track user behavior and trigger relevant tags or services.

Analytics Data: Tag management systems may integrate with analytics platforms to collect and process aggregated and anonymized data about user behavior, website performance, or campaign effectiveness. This data helps optimise the website and improve user experiences.

Consent Data: In the context of consent management, tag management systems may collect and process data related to user consent preferences, such as consent status, consent timestamps, or cookie consent choices. This data helps ensure compliance with applicable data protection laws and regulations.

Legal Basis for Data Processing: The legal basis for processing personal data for tag management may vary depending on the specific situation and applicable laws. Common legal bases include:

Legitimate Interests: Legitimate interests include website performance improvement, data accuracy, and user experience enhancement.

Consent: Consent is obtained in accordance with legal requirements and must be freely given, specific, informed, and revocable.

9) Email validation:  to verify the accuracy and validity of email addresses provided by users. The tool analyses email addresses to identify potential errors, inaccuracies, or fraudulent addresses, ensuring that businesses can maintain a clean and reliable email list for effective communication.

Categories of Personal Data: The personal data processed in the context of an email validation tool may include:

Email Addresses: The tool processes the email addresses provided by users for validation purposes. This data is used to verify the syntax, domain, and overall validity of the email address.

Legal Basis for Data Processing: The legal basis for processing personal data for an email validation tool may vary depending on the specific situation and applicable laws. Common legal bases include:

Legitimate Interests: Validating email addresses helps ensure the efficiency of communication, prevents potential issues caused by invalid or inaccurate email address and ensure a healthy IT environment.  

10)  Webpage heatmap: to analyze user behavior and interactions on a website, visualized through a heatmap. This data helps businesses understand how users navigate, interact, and engage with webpages, enabling them to make data-driven decisions to improve user experience and optimize webpage design.

Categories of Personal Data: The personal data processed in the context of a webpage heatmap may include:

Interaction Data: The heatmap tool collects and processes data related to user interactions on a webpage, such as mouse movements, clicks, scrolling behavior, or touch gestures on mobile devices. This data is used to generate visual representations of user activity and engagement.

Device Information: The tool may collect and process device-related data, such as IP addresses, browser types, operating systems, screen resolutions, or device models. This information helps provide context for user behavior analysis.

Legal Basis for Data Processing: The legal basis for processing personal data for a webpage heatmap may vary depending on the specific situation and applicable laws. Common legal bases include:

Consent: The data is processed only for user consent which shall be obtained before processing personal data for a webpage heatmap, especially if additional processing activities or data retention is involved.

11) User Development Training: The purpose of this data processing activity is to facilitate the enhancement of user skills and knowledge in the field of public procurement through the utilization of a third-party vendor. The third-party vendor platform is external to the platforms and assists in the delivery of educational content and interactive learning experiences to users.

Categories of personal data: The data processed in the context of user development training includes user interactions, progress tracking, and performance. This includes Identification Information such as customer's name, address, country,  job title, contact details (such as phone number, address,  and email address), and any unique identifiers.

Legal Basis for Data Processing: The legal basis for processing personal data in may vary depending on the specific situation and applicable laws. Common legal bases include:

Contractual Necessity: When processing personal data is necessary for the performance of a contract In case of acquiring the paid feature for training within platforms  

Consent: Consent: In case the processing is related to a free training trial or additional information is not required to be given to the customer, the processing of this data is related to the consent provided by the user at the moment of taking the training course or making the input of the data field.

12)   Subscription system management: This data processing activity involves the processing of customer data for subscription orders, licenses, and invoices. The ERP system consolidates financial and contact information from customers, such as subscription order records, number of license orders, payment amounts, and bank details for invoicing and invoice sending. The purpose of this data processing activity is to enable the functionality for customers to subscribe to Mercell services and facilitate the invoicing process and other financial operations needed for completing the order of the subscription requested by the customer. The subscription management system is built with several integrations with the Netsuite system, the integrations of the system provide order confirmation, and invoice sending. This also includes the billing system and the e-invoice functionality of the system.

Categories of personal data: The personal data processed in the context of subscription system management may include:

Contact Information: This includes the name, address, email address, and phone number of the invoiced party or the designated recipient for sending the invoice.

Financial Information: Personal data related to financial transactions, such as bank account details, payment card information, or other payment-related information, may be processed for the purpose of invoice payment and record-keeping.

Tax Identification Information: In certain jurisdictions, tax identification numbers or other tax-related information may be processed to comply with applicable tax laws and regulations.

Product or Service Details: Information related to the products or services provided, such as descriptions, quantities of licenses, prices, and any applicable taxes or discounts, may be processed for accurate invoicing.

Legal Basis for Data Processing: The legal basis for processing personal data for subscription system management may vary depending on the specific situation and applicable laws. Common legal bases include:

Contractual Necessity: Processing personal data for subscription handling is mainly conducted to perform the contract between the Mercell party and the data user that acquired different types of subscriptions.

Compliance with Legal Obligations: Processing personal data may be necessary to comply with legal obligations, such as tax laws and regulations related to invoicing and record-keeping.


13) Digital signature: This data processing activity involves the digital signature of documents for order confirmation and invoice. This activity also includes notification via email and email authentication for email sending.

Categories of personal data: The personal data processed in the context of digital signature may include:

Contact Information: This includes the name, address, email address, job title, and phone number, and company number of the signing party. These details are essential for uniquely identifying the signer and associating their signature with the document.

Legal Basis for Data Processing: The legal basis for processing personal data for digital signatures may vary depending on the specific situation and applicable laws. Common legal bases include

Legitimate interest: In the context of document signing, the organization's interest in ensuring document integrity, signature party authentication  , and the individual's interest in securely signing documents align under legitimate interest.

 

14) Maintaining and supporting the system: these data processing activities involve any type of Maintenance and support of IT systems, which involves regular monitoring, updates, and troubleshooting to ensure smooth and secure operation from the subscription management system.

Categories of personal data: The personal data processed in the context of maintaining and support may include all the data included in te subscription management system item:

Contact Information: This includes the name, address, email address, and phone number of the invoiced party or the designated recipient for sending the invoice.

Financial Information: Personal data related to financial transactions, such as bank account details, payment card information, or other payment-related information, may be processed for the purpose of invoice payment and record-keeping.

Tax Identification Information: In certain jurisdictions, tax identification numbers or other tax-related information may be processed to comply with applicable tax laws and regulations.

Product or Service Details: Information related to the products or services provided, such as descriptions, quantities of licenses, prices, and any applicable taxes or discounts, may be processed for accurate invoicing.

Legal Basis for Data Processing: The legal basis for processing personal data may vary depending on the specific situation and applicable laws. Common legal bases for this include

Legitimate interest: . In the context of maintenance, the organization is interested in ensuring system integrity and the smooth operation of the system.

Contractual Necessity: Processing personal data to be able to continue providing the service included in the subscription contract between the Mercell party and the data user that acquired different types of subscriptions.

15) Data Lakes and Warehousing Management:
 
This data processing activity involves the acquisition, storage, and management of data lakes and data warehousing systems within our organization for statistic analysis and development purpose. The process encompasses various stages, analytics, monitoring anomalies, data application development, and the secure sharing and consumption of real-time or shared data within our CRM system.

Categories of personal data: The personal data processed in
 
Contact Information: This includes the name, address, email address, and phone number of the invoiced party or the designated recipient for sending the invoice.
 
Financial Information: Personal data related to financial transactions, such as bank account details, payment card information, or other payment-related information, may be processed for the purpose of invoice payment and record-keeping.
 
Tax Identification Information: In certain jurisdictions, tax identification numbers or other tax-related information may be processed to comply with applicable tax laws and regulations.

 Product or Service Details: Information related to the products or services provided, such as descriptions, quantities of licenses, prices, and any applicable taxes or discounts, may be processed for accurate invoicing.

Legal Basis for Data Processing: The legal basis for processing personal data may vary depending on the specific situation and applicable laws. Common legal bases for this include

Legitimate interest: Legitimate interest allows for the processing of personal data when it is necessary for a legitimate purpose and when the individual's interests, rights, and freedoms are not overridden. For this particular purpose, Enhanced Data Analysis: The organization has a legitimate interest in creating a data lake to facilitate advanced data analysis, fostering insights that drive informed decision-making. Improved Operational Efficiency: The organization aims to streamline data storage and access, promoting efficiency in data handling and reducing redundancy. Innovation and Development the creation of a data lake aligns with the organization's interest in fostering innovation, enabling the development of new data-driven applications and solutions. Business Intelligence: Establishing a data lake supports the organization's legitimate interest in leveraging business intelligence tools for strategic planning and forecasting.

16) Integration between IT Systems, CRM, and Subscription Management: This data processing activity involves the integration between the IT system, Customer Relationship Management (CRM), and Subscription Management systems. The primary objective is to ensure seamless coordination and data flow between these systems, enhancing operational efficiency and providing a unified experience for users. The integration encompasses various data processing activities, including maintenance, support, and synchronization of data between systems.

Categories of Personal Data:

Contact Information:

Name, address, email address, and phone number of individuals associated with the CRM and Subscription Management systems.

Financial Information:

Data related to financial transactions, including bank account details, payment card information, or other payment-related details for CRM and Subscription Management transactions.

Tax Identification Information:

Tax identification numbers or other tax-related information for compliance with applicable tax laws and regulations related to CRM and Subscription Management.

Product or Service Details:

   - Information related to products or services provided, including descriptions, quantities of licenses, prices, and any applicable taxes or discounts, for accurate invoicing and CRM interactions.

Legal Basis for Data Processing:

The legal basis for processing personal data in this integration activity includes:

Contractual Necessity:

Processing personal data to fulfill the terms of subscription contracts between the Mercell party and data users, ensuring the seamless integration of systems to deliver contracted services.

 

Legitimate Interest:

In the context of maintaining and supporting the integrated systems, the organization has a legitimate interest in ensuring data accuracy, system integrity, and the smooth operation of the integrated IT, CRM, and Subscription Management systems.

 

17) Data Processing for Survey:

 

As part of our commitment to continuously improve our services and understand our customers' needs better, we may occasionally conduct surveys to gather feedback and insights. When sending out surveys, we will request your consent and you can always either deny the survey or after submitting request to exercise your right as establishes in the applicable privacy regulation.

 

Categories of Personal Data:

The personal data processed for survey distribution may include:

 Contact Information: This includes the participant's name, email address, and any other contact details provided voluntarily for the purpose of survey participation.

Demographic Information: Optional demographic information such job tittle, job place, occupation, and location may be collected to help analyze survey responses and identify trends.

Survey Responses: The responses provided by participants to survey might also include other type of personal data when answering the questions included in the survey. The data is stored and analyzed to gain insights into customer preferences, satisfaction levels, and areas for improvement.

 

Legal Basis for Data Processing:

The legal basis for processing personal data for survey distribution is primarily based on consent. By voluntarily participating in our surveys and providing personal data, participants are consenting to the processing of their information for the stated purposes. Participants have the right to withdraw their consent at any time, and their data will be promptly deleted from our records upon receipt of such withdrawal.

 

Retention Period:

Personal data collected for survey distribution purposes will be retained only for 1 year. Once the survey analysis is complete and no longer needed, personal data will be securely deleted or anonymized to prevent the identification of individual participants.

Relevant parties

 

Data Controller

Mercell 
Webpage: www.mercell.com 
post@mercell.com

Data Processors


A) Hubspot Inc
1 Sir John Rogerson's Quay, Dublin 2
Phone: +353 1 5187500
Website: https://www.hubspot.com/
Place of processing: Germany, Ireland, United States.
Use for data processing:1,2,3,4,5,6,7, 17


B) Google Ireland LTD 
Gordon House Barrow Street Dublin 4,
Phone: 353 1442 9610
Website: https://policies.google.com/privacy?hl=en-US
Place of processing: Germany, Ireland, Bulgaria
Use for data processing: 8

C) Hotjar Ltd
Dragonara Business Centre 5th Floor, Dragonara Road,
Paceville St Julian's STJ 3141
Phone number: (855) 464-6788.
Website: https://www.hotjar.com/privacy/
Place of processing: Malta, Ireland, Germany, UK, Spain
Use for data processing: 10


D) ZeroBounce
Yanonali St., Santa Barbara, California 93101
Phone number: EU: +44-330-808-4814
Website: https://www.zerobounce.net/
Place of processing: Romania, Germany 
Use for data processing:  9


E) 360LEARNING
 French Société Anonyme, with registered offices at 117 rue de la Tour,
75116
Phone Number: +44 7548255001
Website: https://360learning.com/
Place of processing: France, Ireland 
Use for data processing: 11

F) Oracle Corporation UK Limited
Thames Valley Park Reading RG6 1RA United Kingdom
Phone number:   +44 118 924 0000
Website: www.netsuite.com
 Place of processing: 
UK, Netherlands, Germany
Use for data processing: 12

G) Workato 
WeWork, 1 Poultry London EC2R 8EJ
Website: https://www.workato.com/
Place of processing: Germany 
Use for data processing: 16

H) MonetizeNow Netherlands B.V.
Korte Lijnbaanssteeg 1-4212
1012SL, Amsterdam
The Netherlands
Website: https://www.monetizenow.io/
Place of processing: Sweden. USA. 
Use for data processing: 12

I) Zone &co Company Software Consulting EMEA B.V.
Evert van de Beekstraat 11118 CL Schiphol
Website: https://www.zoneandco.com/
Place of processing: Germany, Ireland, Luxembourg
Use for data processing: 12

J) DocuSign International (EMEA) Limited
5 Hanover Quay, Grand Canal Dock, Dublin, D02 VY79, Ireland
Website: https://www.docusign.com/company/contact-us
Place of processing: Ireland
Use for data processing: 13

K) Novutech ApS
Oesterbrogade 226 st 1  Suite #177 Copenhagen, 2100
Website: https://novutech.com/
Place of processing: Denmark, Belgium 
Use for data processing: 14

L) Attlassian 
Herbert Smith Freehills Llp Exchange House, Primrose Street, London, EC2A 2EG. 
Website: https://www.atlassian.com/
Place of processing: Germany Ireland 
Use for support tickets

M) Techtorch 
Website: https://www.techtorch.io/
Place of processing:  Woodside, California, USA
Use for data processing: 14 (Only CRM system)

N) Snowflake Inc 
Bozeman, Suite 3A, 106 East Babcock Street, United States,
Website: www.snowflake.com 
Place of processing: USA
Use for data processing: 15 

O) Telavox AB
Stora Varvsgatan 6A 211 19 Malmö 040–622, Sweden
Website: https://www.telavox.com/
Place of processing: EU/EEA
Use for data processing: 1

Types of Data Collected

The type data collected are described in each of the processing activities. Personal Data may be freely provided by the user by consenting to some processing activities or requesting some services that require processing of personal data. In the case of another type of data, such as Usage Data, it may be collected and stored in your browser automatically when using a website, since failure to provide this Data may make it impossible for this Website to provide its services. In cases where this Website specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.


Users who would like to learn more about how we process and handle their data are welcome to contact Mercell. 


Users are responsible for any third party that obtains, publishes, or shares Personal Data through the use of this Website (such as could be the case of browsers) and confirm that they have given the third party's consent or that such third party has a valid legal basis to provide the Data to Mercell.

Methods of processing

Mercell takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and other technical measures, following organizational procedures, such as limiting the access of the data and modes strictly related to people and systems needed to fulfill the purposes of the Service. Mercell only allows the  Data to be accessible to certain types of persons in charge involved with the operation of the processing activities. 

Legal basis for processing

Mercell may process Personal Data relating to Users if one of the following conditions is applicable each of the legal basis applicable are mentioned in each of the processing activities:

  • Users have given their consent for one or more specific purposes. The user can at any moment retrieve their consent and finish the subscription service and, therefore, the processing of personal data;
  • Provision of Data is necessary for the performance of an agreement with the User and/or for any obligations stated in the terms and conduction thereof;
  • Processing is necessary for compliance with a legal obligation to which Mercell. requires to know information about the data subject;
  • Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Mercell
  • Processing is necessary for the purposes of the legitimate interests pursued by Mercell or by a third party.

Users can at any moment request Mercell to clarify the specific legal basis that applies to each case of processing, and in particular, whether the provision of Personal Data is a statutory or contractual requirement or a requirement necessary to enter into a contract.

 

Place.


The Data is processed at the Controller and processor´s operating offices and in any other places where the parties involved in the processing are located. The data processing location is either stated in the data processor section and the Mercell subsidiary location: 

Norway, 
Denmark, 
Belgium, 
Sweden,
Finland,
Netherlands,
Ireland, 
Luxembourg,
USA, 
Malta.

We strive not to transfer your data to any location outside EEA; however, depending on specific processing activities within the functionalities of our processors, we  involve transferring the User's Data outside the EU/EEA. The processors that transfer such data are mentioned in the processor section under place of processing, which states the countries where the data is processed.  When such a transfer takes place, our processors use the respective mechanism provided in Chapter V of the GDPR to ensure compliance with the EU/EEA privacy framework. More details can be requested from Mercell.
Users are also entitled to learn about the legal basis of Data transfers to a country outside the EU, EEA, or to any international organization governed by public international law or set up by two or more countries and about the security measures taken by Mercell to safeguard their Data. Users can contact Mercell for more information on the matter

Retention time


Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.

Therefore:

  • Personal Data collected for purposes related to the performance of a contract between Mercell., and the User shall be retained until such contract has been fully performed or the data user unsubscribes to the service.
  • Personal Data collected for the purposes of Mercell legitimate interests shall be retained as long as needed to fulfill such purposes. Users may be informed if such data storage takes place and regarding the legitimate interests pursued by Mercell within the relevant sections of this document or by contacting Mercell
  • Mercell may be allowed to retain Personal Data for the period whenever the User has given consent to retain the data for a certain period of time when consenting to data processing,  the data user can prolong the iteration time by renewing the consent and as long as such consent is not withdrawn before the end of the service. 
  • Mercell may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority. In such cases, only if allowed by law shall this be notified to the data subject 
  • Once the retention period expires, Personal Data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.

More information regarding the retention time can be requested to Mercell by contacting customer service.


The purpose of processing


The Data concerning the User is collected to allow Mercell to provide its Service, comply with its legal obligations, respond to enforcement requests, and protect its rights and interests: as well as the following:

Contacting the User, managing contacts, and sending messages.

For specific information about the Personal Data used for each purpose, refer to the type of processing section.

The Rights of Users

Users may exercise certain rights regarding their Data processed by Mercell 
In particular, Users have the right to do the following:

  • Withdraw their consent at any time. Users have the right to withdraw consent to the processing of their Personal Data.
  • Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
  • Access their Data. Users have the right to learn and obtain disclosure regarding certain aspects of the processing and request a copy of the Data undergoing processing.
  • Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, Mercell will not process its Data for any purpose other than storing it.
  • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to request and obtain the erasement of their Data from Mercell processing and service.
  • Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract of which the User is part, or on pre-contractual obligations thereof.
  • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details About the Right to Object to Processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in Mercell, or for the purposes of the legitimate interests pursued by Mercell, Users may object to such processing by providing a ground related to their particular situation to justify the objection.


How to Exercise These Rights:

Any requests to exercise User rights can be directed to Mercell through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by Mercell as early as possible and always within one month. Any request can be directed to the customer success manager or post@mercell.com 

Additional Information About Data Processing


In addition to what is stated above, the user shall be aware of the following aspects regarding data processing and this privacy policy. 
Processing related to legal or court requirements 
The User's Personal Data may be used for legal purposes by Mercell in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services.

The User declares to be aware that Mercell may be required to reveal personal data upon request of public authorities.
Additional Information about User's Personal Data
 
In addition to the information contained in this privacy policy, this Website may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

 

Privacy notice for portal subscription and use of the platform

This Privacy Notice provides you further information related  to how and why  Mercell (name of the group) (hereinafter referred to as "Mercell," "We," or "we").  collects and processes your personal data when you use the Mercell platform.

The Privacy Notice is addressed to customers of Mercell and other private individuals using Mercell services.,   Customers of Mercell are or may be any legal person who hired or intends to hire Mercell services, including any legal person who acts on behalf of the customer.

For us, it is important that your personal data and personal integrity are protected and dealt with in accordance with the applicable legal framework, and therefore we ensure that the information we have about you is processed in a lawful and transparent manner in accordance with the data protection regulations.

We referred to  Personal data as any information that alone or by a combination with other information could be used to identify is about or can be related to an identified or identifiable natural person.

At Mercell, we ensure that your personal data is processed in accordance with the applicable data protection regulations at all times.

We are regarded as data controllers for the processing of personal data described in this Privacy Notice. You will find contact details below.

CONTENT OF THE  PERSONAL DATA TO PROCESS WHO DO WE PROCESS PERSONAL DATA ABOUT?

This Privacy Notice addresses Mercell's processing of personal data about the following categories of personal data: 

  • Contact data of any person persons and employees of customers who use the Mercell portals;
  • Contact data of people and other private individuals stated in public tender documents;
  • Other personal private individuals who use the services offered by Mercell.

 


PURPOSE, CATEGORIES OF PERSONAL DATA, AND LEGAL BASIS


Below is a description of the purposes for which we process personal data, and what categories of personal data we process, as well as the legal basis for the processing.

I. Processing of personal data in connection with registration in the Mercell portals

In connection with the registration and administration of your user in the Mercell portals, we process the following personal data about you:

  • Name;
  • Position in the company;
  • Email address;
  • User name;
  • Telephone number;
  • Language preferences;
  • LinkedIn profile ( not required );
  • Photo ( not required );
  • Mailing address;
  • Identification number (Only in case the ID matches the organizational ID in certain countries );
  • Date of birth ( not required );
  • Fax number ( not required );
  • Job title, role ( not required );
  • Time zone;
  • Employee number ( not required );
  • Nationality ( not required );
  • System preferences;
  • Contact language;
  • Data related to customership and contractual relationships such as order and purchase data in different channels or ordered services.


Personal data that is registered when you create a user profile will mainly be used to complete the purchase or provide a service based on what was registered or collected. For example, we will use your email address to provide the tender notification service that your employer has signed up for. Furthermore, your name may be published in the Mercell portals as a contact person for your employer in connection with an announced tendering process.

In addition, personal data can be used to document the use of the Mercell portals since all activities are logged for IT security reasons. When a user logs into the portals, a unique ID is created. This ensures that the user does not have to enter a username and password multiple times during a given period of time. The ID also ensures the aforementioned logging of activities. Information created as a result of the use of the portals, including IP addresses, is stored on a central server belonging to Mercell. This information is only used for support purposes and is never provided to third parties.

For all processing described under this section, our legal basis for this processing activity will be either Article 6 (1) Letter B of the GDPR (Necessary for the performance of contracts) or Letter F (legitimate interest), such as when the processing of personal data is necessary to prevent fraud. For all “not required” fields, the legal basis is Article 6 (1) A (Consent)

II. Processing of personal data when you sign up for courses, webinars, or seminars.

If you sign up for courses or similar events via Mercell, we will process general contact information about you (name, employer,  and email). We process this personal data in order to offer you the course. Our legal basis for this processing activity is Article 6 (1) letter b ( Necessary for the performance of a contract) of the GDPR.

Furthermore, we may share personal data about you with third parties when we use external course providers so that they can prepare the course content based on the participants. We only disclose the information relevant to the fulfillment of such this purpose. The legal basis for this processing activity is article 6 (1) letter b (agreement) and Article 6 (1) letter f (GDPR) (legitimate interest).

III Processing of personal data in connection with the collection of tender documents from public databases.

As part of the services Mercell provides, public tender documentation will be obtained from public databases such as Doffin and TED. In this connection, Mercell will be able to process contact information (name, email, employer, position) of employees of actors in tender processes, as well as other personal data that may be stated in these tender documents.

This personal data will only be used to disclose tenders in the Mercell portals so that the buyer and supplier can get in touch with each other. This is a type of processing Mercell has a legitimate interest in performing, as this is an information service that contributes to the fact that already publicly announced tenders reach a larger circle of suppliers. The legal basis for processing this type of personal data follows from article 6 (1) letter f of the GDPR (legitimate interest).

IV Processing of personal data in connection with direct communication with you.

Mercell strives for our customers to get updated and good information about various updates and other conditions we believe are relevant for our customers to enjoy the services we offer. From time to time, we will, therefore send out newsletters and other relevant information to people who have registered a user profile in the Mercell portals.

If we send you inquiries that contain marketing for our services, we will ask for your consent first. The consent will be managed via a link in the email sent to you and will also be available on Mercell´s website. In some cases, consent can be collected through the Mercell portals. Our basis for processing this type of inquiry will be article 6 (1) letter a (consent) of the GDPR and § 15 (1) of the Norwegian Marketing Act, or similar regulation in local Marketing regulation.

In other cases, we will send you newsletters and other inquiries containing information only and not marketing, typically information about the product you use with us, the tender notification service, tender news, an invitation to seminars/webinars or similar. The legal basis for processing such inquiries is article 6 (1) letter f of the GDPR (legitimate interest).

 

V. Processing of Personal Data for Security Purposes.

At Mercell, we prioritize the security of our platform and the protection of our users' information. As part of our commitment to providing a secure environment, we may process personal data for security purposes, including the collection of IP addresses, device information, user behavior, and logs on system, and access attempts.

In the event of suspicious activities or security-related incidents, we may communicate directly with you to address concerns, provide updates, or seek additional information. This communication ensures that we can maintain the integrity and security of our platform and promptly address any potential risks.

The legal basis for processing personal data for security purposes is Article 6(1)(f) of the GDPR, as it is based on our legitimate interest in maintaining a secure and trustworthy environment for our users. We believe that processing data for security purposes is essential to safeguard the confidentiality, integrity, and availability of the information shared on our platform.


VI  Processing of Personal Data for Support Tickets.


At Mercell, we are dedicated to providing exceptional support to our users. When you submit a support ticket, we collect and process personal data to address your inquiries, resolve issues, and ensure the optimal functioning of our services.

The information gathered through support tickets may include details such as your name, contact information, and specific details related to the support issue. This data is used solely for the purpose of providing assistance and resolving the reported problems.

Our legal basis for processing personal data in support tickets is Article 6(1)(b) of the GDPR, as it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

VII Customer surveys

Mercell processes personal data in connection with customer satisfaction surveys. It is necessary for Mercell to conduct such surveys in order to obtain feedback on our products and services so that they can be constantly developed and improved. By participating in the survey, you agree that we may process your data.

Participation is voluntary. Mercell has a legitimate interest in processing your contact information for this purpose.

IX Product development and analysis

Mercell may collect information about you as a user for analysis of how you, as a customer, use Mercell's services on digital surfaces. This information is used to develop and prepare the functionality of existing products and services. We use Amplitude and Hubspot for traffic analysis on our website. See more about cookies below.

MERCELL AS DATA PROCESSOR

For several processing activities, Mercell will act as a data processor instead of a controller. This will mainly apply where buyers or suppliers upload documents containing personal data in the Mercell portals. In such cases, the purchaser or supplier uploading the relevant document will be responsible for the processing of the personal data contained in the document, and this party is thus responsible for ensuring that the processing takes place in accordance with the GDPR.


When the supplier sends information to the buyer, the buyer assumes the role of the data controller. Any document or information, including the contract sign, will be controlled by the buy side user. Mercell will follow up on the instructions of the data controller. Any type of request from the supply side related to the document or the interaction between the supply and buy-side user has to be addressed directly to the controller (Buy-side). This includes contract management between the user, documentation, messages, and communication. Among others.

Mercell enters into data processing agreements with all buyers and suppliers for whom we process personal data. 

WHO DO WE SHARE INFORMATION ABOUT YOU WITH?


Your personal data is treated confidentially with us, and only those with the necessary service needs with us will have access to your personal data. As a general rule, we will, therefore, not share your personal data with anyone outside of Mercell.

In some cases, we may need to share your personal data with others. The people we share your information with are established on the section relevant parties

Our IT service providers may access personal data if personal data is stored with the supplier, or the supplier otherwise gains access to personal data about you in accordance with the contract with us. This applies, for example, to our customer relationship management systems provider (Hubspot) or support service providers. Please note that some service providers could be located outside the EU/EEA . If personal data is transferred to countries outside the EU/EEA, Mercell will take appropriate measures and conduct the appropriate assessment to protect your security and to ensure that the transfer takes place with a sufficient degree of protection.  Please refeer to the section relevant parties for more information

Other companies within the Mercell Group may access personal data about you in connection with our provision of services to you. The companies are located within EU/EEA in the following countries : Norway, Sweden,Denmark, Netherlands, Finland, Estonia, Lithuania, Latvia.

Processors and Subprocessors: Depending on the role of Mercell, the list of companies we might use to process data can vary. When acting as a Processor, the subprocessor list can be found in the DPA between Mercell and the customer. When acting as a Controler, the list of processors can be found in the previous section of the privacy policy or in the cookie policy, respectively

HOW DOES A USER ACCESS HIS/HER PERSONAL DATA, AND HOW CAN THIS INFORMATION BE RECTIFIED?

Each user is responsible for ensuring that the information registered is valid and correct, including that only use information that is relevant to the use of the portals is registered on behalf of the company to which the user belongs. The user will be suspended or permanently blocked from the portals if false information is entered upon registration, e.g., false name or inappropriate contact information.

Users who are logged on to the Mercell portals can control and update their own user profile. In the same part of the portals, it is possible to add and delete information that is not mandatory, including subscribing/unsubscribing for newsletters from Mercell. All user profiles that contain invalid information will be deleted without prior notice. If a user has forgotten their password, a request can be sent to create a new password by email.

If the user requires insight into registered data linked to the user's own personal data, this is logged in Mercell's portals. The user can contact Mercell at any time for information about logged information or other matters relating to personal data. Please see the contact information at the end of this document.

HOW LONG IS PERSONAL DATA STORED, AND HOW CAN A USER DELETE THEIR DATA?

The information is stored during the period that complies with the law, and Mercell will delete the information when it is no longer needed. The storage period depends on the type of information and why it should be stored:
• User profiles that are registered in connection with the purchase of Mercell licenses are deleted when they have been inactive for a period of 12 months after the license expiry date.
• User profiles that are registered in connection with the use of the Mercell portals without the purchase of licenses are deleted when they have been inactive for 12 months.
In public tendering processes, we are, in certain cases, required by law to preserve published information. Therefore, any user information included as part of such published information cannot be deleted unless Mercell receives a claim for this from the user/organization responsible for the data. This deletion must also be done in accordance with applicable law.
Users who have doubts about what information can be deleted, including information about when and where can contact Mercell. Please see the contact information at the end of this document.

YOUR RIGHTS

According to the GDPR, data subjects have several rights related to the processing of your personal data. Here you will find information about how you can exercise these rights towards Mercell in connection with the processing of your personal data. 
If you request us to exercise one or more of these rights, we will comply with your request within one month of its submission. The request can be directed to dpo@mercell.com and will strive to be answered in 20 business days. 

Access: you can send us a request for access to our processing of your personal data.

Correction: if you believe that the information we have stored about you is incorrect (e.g., email address or office), you can at any time request that we correct this.

Protest: if you do not want us to process your personal data, you can object to the processing.
Withdraw your consent: You may withdraw your consent at any time that we may store and process your personal data where such consent has been given. If you would like to withdraw your consent, please use the contact details below in this Privacy Notice.

Erasure: if you object to the processing of your personal data or you withdraw your consent, information that we have stored about you will be deleted on the condition that we have no other legal basis for retaining it. If you want your personal data deleted under other circumstances, you can easily direct an inquiry to us about this.

Data portability: you have the right to demand data portability for information about yourself that you have provided to Mercell, and which has a legal basis for processing in consent or agreement. If you wish to exercise your right to portability, the relevant information about you will be sent to you or a third party that you designate if this is technically possible.

Right to restrict the processing: if you want us to restrict the processing of your personal data, you can request this.

Right to complain to a supervisory authority: if you believe that our processing of your personal data should be in violation of the GDPR, or other data protection regulations, you have the right to complain about this to the Norwegian Data Protection Authority. Complaints can be submitted on their website;

Information not Contained in this Policy.

More details concerning the collection or processing of Personal Data can be requested from Mercell at any time. Please use the contact details provided in this document for such a request.

Changes to this privacy policy

Mercell reserves the right to make changes to this privacy policy at any time by notifying its Users on this webpage and possibly within this Website and/or by sending a notice to Users via any contact information available to Mercell. It is advisable and requested for users to frequently check this page, referring to the date of the last modification listed at the bottom.  In case the changes affect the processing activities performed on the basis of the User’s consent, Mercell shall collect new consent from the User, where required.

CUSTOMER SERVICE AND CONTACT WITH MERCELL


We are always happy to help you if you have any questions or concerns regarding your privacy. If you have any questions about the processing of your personal data, please use the contact details below. 
Our office is open 9am-4pm (CET), Monday to Friday. Office hours may differ on public holidays. 
Sales and general questions:  post@mercell.com
Data Privacy Request:  dpo@mercell.com